Bulk vulnerability fix - Lockfile fix #1
Merged
This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.
Fixed vulnerabilities:
CVE-2021-3820
Description
Incorrect Comparison
NVD
GitHub
CVSS details - 7.5
References
Inefficient Regular Expression in inflect · CVE-2021-3820 · GitHub Advisory Database · GitHub
NVD - CVE-2021-3820
Fix CVE-2021-3820 · pksunkara/inflect@a9a0a8e · GitHub
Inefficient Regular Expression Complexity vulnerability found in inflect
GitHub - pksunkara/inflect: custom inflections for nodejs
Comparing pksunkara:HEAD...ready-research:Fix-ReDoS · pksunkara/inflect · GitHub
Trying to get in touch regarding a security issue · Issue #31 · pksunkara/inflect · GitHub
CVE-2019-10747
Description
Uncontrolled Resource Consumption
GitHub
NVD
CVSS details - 9.8
References
Prototype Pollution in set-value · CVE-2019-10747 · GitHub Advisory Database · GitHub
NVD - CVE-2019-10747
MLIST
[SECURITY] Fedora 30 Update: nodejs-set-value-2.0.1-1.fc30 - package-announce - Fedora Mailing-Lists
[SECURITY] Fedora 31 Update: nodejs-set-value-2.0.1-1.fc31 - package-announce - Fedora Mailing-Lists
disallow proto keys · jonschlinkert/set-value@95e9d99 · GitHub
GitHub - jonschlinkert/set-value: Set nested properties on an object using dot-notation.
CVE-2019-20149
Description
Exposure of Resource to Wrong Sphere
GitHub
NVD
CVSS details - 7.5
References
NVD - CVE-2019-20149
Validation Bypass in kind-of · CVE-2019-20149 · GitHub Advisory Database · GitHub
type checking · Issue #30 · jonschlinkert/kind-of · GitHub
fix type checking vul in ctorName by xiaofen9 · Pull Request #31 · jonschlinkert/kind-of · GitHub
CVE-2019-10746
Description
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
GitHub
NVD
CVSS details - 9.8
References
NVD - CVE-2019-10746
Prototype Pollution in mixin-deep · CVE-2019-10746 · GitHub Advisory Database · GitHub
[SECURITY] Fedora 30 Update: nodejs-mixin-deep-1.3.2-1.fc30 - package-announce - Fedora Mailing-Lists
[SECURITY] Fedora 31 Update: nodejs-mixin-deep-1.3.2-1.fc31 - package-announce - Fedora Mailing-Lists
disallow constructor and prototype keys · jonschlinkert/mixin-deep@8f464c8 · GitHub
GitHub - jonschlinkert/mixin-deep: Deeply mix the properties of objects into the first object, while also mixing-in child objects.
CVE-2020-7729
Description
Insecure Default Initialization of Resource
GitHub
NVD
CVSS details - 7.1
References
[SECURITY] [DLA 2368-1] grunt security update
NVD - CVE-2020-7729
Arbitrary Code Execution in grunt · CVE-2020-7729 · GitHub Advisory Database · GitHub
CONFIRM
Switch to use safeLoad for loading YML files via file.readYAML. · gruntjs/grunt@e350cea · GitHub
USN-4595-1: Grunt vulnerability | Ubuntu security notices | Ubuntu
grunt/file.js at main · gruntjs/grunt · GitHub
CVE-2020-28282
Description
NVD
GitHub
CVSS details - 9.8
References
NVD - CVE-2020-28282
Prototype pollution vulnerability in 'getobject' · CVE-2020-28282 · GitHub Advisory Database · GitHub
node-getobject/getobject.js at aba04a8e1d6180eb39eff09990c3a43886ba8937 · cowboy/node-getobject · GitHub
CVE-2020-28282 | WhiteSource Vulnerability Database
CVE-2020-7662
Description
GitHub
NVD
CVSS details - 7.5
References
NVD - CVE-2020-7662
Regular Expression Denial of Service in websocket-extensions (NPM package) · CVE-2020-7662 · GitHub Advisory Database · GitHub
ReDoS vulnerability in websocket-extensions – The If Works
Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser · faye/websocket-extensions-node@29496f6 · GitHub
ReDoS vulnerability in Sec-WebSocket-Extensions parser · Advisory · faye/websocket-extensions-node · GitHub
Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser · faye/websocket-extensions-ruby@aa156a4 · GitHub
CVE-2019-10795
Description
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
NVD
CVSS details - 6.3
References
NVD - CVE-2019-10795
fix: prevent changes in prototype chain · remy/undefsafe@f272681 · GitHub
Related information
📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked